Image forming apparatus, user restriction method and use history generation method

ABSTRACT

An image forming apparatus is provided, in which the image forming apparatus includes a user database in which user identification information for identifying a user of the image forming apparatus is registered, an operation panel for receiving a key operation input, and a secure program used for determining whether a user service can be provided on the basis of the user identification information in the user database and another user identification information input by the user.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation application of, and claims the benefit of priority under 35 U.S.C. §120 from, U.S. application Ser. No. 13/285,952, filed Oct. 31, 2011, herein incorporated by reference, which is a continuation of U.S. Pat. No. 8,064,078, issued Nov. 22, 2011, herein incorporated by reference, which is a continuation of U.S. Pat. No. 7,787,137, issued Aug. 31, 2010, herein incorporated by reference, which is a continuation of U.S. Pat. No. 7,280,238, issued Oct. 9, 2007, herein incorporated by reference, which claims the benefit of priority under 35 U.S.C. §119 from Japanese Patent Applications Nos. 2001-324111, filed Oct. 22, 2001 and 2002-303169, filed Oct. 17, 2002.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an image forming apparatus which can perform restriction of use and can obtain history information on status of use when the image forming apparatus provides user services related to image forming processes such as copying, printing, scanning and sending facsimile. In addition, the present invention relates to a user restriction method and a use history generation method.

2. Description of the Related Art

Recently, an image forming apparatus (to be referred to as a compound machine hereinafter) that includes functions of a printer, a copier, a facsimile, a scanner and the like in a cabinet is generally known. The compound machine includes a display part, a printing part and an image pickup part and the like in a cabinet. In the compound machine, three pieces of software corresponding to the printer, copier and facsimile respectively are provided, so that the compound machine functions as the printer, the copier, the scanner and the facsimile respectively by switching the software.

Since the conventional compound machine is provided with each software for the printer, the copier, the scanner and the facsimile individually, much time is required for developing the software. Therefore, the applicant has developed an image forming apparatus (compound machine) including hardware resources, a plurality of applications, and a platform including various control services provided between the applications and the hardware resources. The hardware resources are used for image forming processes of a display part, a printing part and an image pickup part. The applications perform processes intrinsic for user services of printer, copier and facsimile and the like. The platform includes various control services performing management of hardware resource necessary for at least two applications commonly, execution control of the applications, and image forming processes, when a user service is executed.

Since the image forming apparatus includes the platform that performs management of hardware resources used by at least two applications commonly, and that performs execution control and image forming processes, software can be developed efficiently, so that productivity for the machine can be improved.

However, as for such a compound machine, it is not desirable, from the viewpoint of security, that every user can use all functions of the printer, copier, scanner and facsimile without restriction. For example, it may be necessary to restrict use of the compound machine or use of some functions of the compound machine according to a section the user belongs to or according to a position of the user.

The user of the compound machine uses functions of the printer, copier, scanner and facsimile for various purposes. Thus, by recording status of use such as a use purpose as history information, it becomes possible to strengthen security in consideration of past use status.

However, since each piece of software is provided for each of the functions of the printer, the copier, the scanner and the facsimile according to the conventional compound machine, it is necessary to provide a security function to each piece of software for strengthening security of the compound machine. Thus, there is a problem in that an enormous amount of development work is necessary and the structure of the software is complicated.

SUMMARY OF THE INVENTION

An object of the present invention is to provide an image forming apparatus, a user restriction method, a use history generation method and a program for easily realizing enhancement of security.

The above object is achieved by an image forming apparatus, including:

at least an application for providing a user service relating to an image forming process;

an operation panel for receiving a key operation input;

a user database in which user identification information for identifying a user of the image forming apparatus is included;

a secure program used for determining whether the user service can be provided on the basis of the user identification information in the user database and another user identification information input by the user.

According to this image forming apparatus, use of the image forming apparatus can be restricted to users registered beforehand, so that security improves for the image forming apparatus.

In addition, the above object is achieved by an image forming apparatus, including:

at least an application for providing a user service relating to an image forming process;

an operation panel for receiving a key operation input;

a secure program for requesting a user to input use information on use status of the image forming apparatus, and generating use history information on the use information; and

a control program for obtaining a key event on the use information input from the operation panel, and sending the key event to the secure program.

According to this image forming apparatus, use history can be recorded, so that security improves by using the use history.

Since the new compound machine developed by the applicant has a distinctive structure including applications and the control service for providing a service necessary for at least two of the applications, it is easy to develop new software as a new application or as a new control service. Thus, it becomes easy to add software for realizing the security function by using the distinctive structure.

BRIEF DESCRIPTION OF THE DRAWINGS

Other objects, features and advantages of the present invention will become more apparent from the following detailed description when read in conjunction with the accompanying drawings, in which:

FIG. 1 is a block diagram of an image forming apparatus according to the first embodiment of the present invention;

FIG. 2 shows a hardware configuration of the compound machine 100 according to the first embodiment;

FIG. 3 is a figure for explaining the whole user restriction process according to the compound machine 100 of the first embodiment;

FIG. 4 shows a data structure of a record registered in the user database 320;

FIG. 5 is a flowchart showing a process procedure at the time when the compound machine 100 is launched by the SCS 122 in the compound machine of the first embodiment;

FIG. 6 is a flowchart showing the process procedure of the user restriction of the secure application 117;

FIG. 7 is a flowchart showing a procedure for obtaining key operations from the operation panel 210 in the OCS 126 and the SCS 122 according to the compound machine of the first embodiment;

FIG. 8 is a flowchart showing a procedure of the process for changing control right by the SCS 122 according to the compound machine 100 of the first embodiment;

FIGS. 9A-9C show examples of screens displayed on the display part of the operation panel 210 in the user restriction process;

FIG. 10 shows a process flow in the case where the secure application 117 is not set as the priority application;

FIG. 11 is a flowchart showing a process procedure of user restriction by the secure application 117 in the compound machine 100 according to the second embodiment;

FIG. 12 is a figure for explaining flow of the user restriction process and user history generation process by the compound machine 100 according to the third embodiment;

FIG. 13 is a flowchart showing a procedure of the user restriction process and the use history generation process performed by the secure application 117;

FIGS. 14A-14C are examples of the screen displayed on the display part of the operation panel 210 in the use history generation process;

FIG. 15 shows an example of the use history file 1735;

FIG. 16 is a block diagram of a remote centralized management system including the compound machine according to the third embodiment;

FIG. 17 is a block diagram showing a functional configuration of a compound machine 1600 according to the fourth embodiment;

FIG. 18 is a figure for explaining flow of the use restriction process and the use history generation process;

FIG. 19 shows a user restriction/use history selection screen;

FIG. 20 is a flowchart showing a procedure for obtaining a key operation from the operation panel 210 by the OCS 126 and the SCS 122.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

In the following, embodiments of an image forming apparatus, a user restriction method, a use history generation method and a program for causing a computer to execute the methods of the present invention will be described with reference to figures.

First Embodiment

FIG. 1 is a block diagram of an image forming apparatus (to be referred to as a compound machine hereinafter) according to the first embodiment of the present invention. As shown in FIG. 1, the compound machine 100 includes hardware resources and a software group 110. The hardware resources include a black and white line printer (B&W LP) 101, a color line printer 102, and hardware resources 103 including a scanner, a facsimile, a hard disk and a network interface. The software group 110 includes a platform 120 and applications 130.

The platform 120 includes control services for interpreting a processing request from an application to issue an acquiring request for the hardware resource, a system resource manager (SRM) 123 for managing one or more hardware resources and arbitrating acquiring requests from the control service, and a general-purpose OS 121.

The control services include a plurality of service modules including a system control service (SCS) 122, an engine control service (ECS) 124, a memory control service (MCS) 125, a fax control service (FCS) 127, and a network control service (NCS) 128. In addition, the platform 120 has application program interfaces (API) that can receive process requests from the applications 130 by using predetermined functions.

The general purpose OS 121 is a general purpose operating system such as UNIX, and can execute each piece of software of the platform 120 and the applications 130 concurrently.

Processes of the SRM 123 are for performing control of the system and performing management of resources with the SCS 122. The processes of the SRM 123 perform arbitration and execution control for requests from the upper layer that uses hardware resources including engines such as the scanner part and the printer part, a memory, a HDD file, a host I/Os (Centronics I/F, network I/F, IEEE1394 I/F, RS232C I/F and the like).

Specifically, the SRM 123 determines whether the requested hardware resource is available (whether it is not used by another request), and, when the requested hardware resource is available, notifies the upper layer that the requested hardware resource is available. In addition, the SRM 123 performs scheduling for using hardware resources for the requests from the upper layer, and directly performs processes corresponding to the requests (for example, paper transfer and image forming by a printer engine, allocating memory area, file generation and the like).

The processes of the SCS 122 perform application management, control of the operation part, display of system screen, LED display, resource management, and interrupt application control. In addition, in the compound machine in the first embodiment, the SCS 122 sends a notification message of providing control right for the operation panel 210 to each application 130, and the SCS 122 receives a key event from the operation panel 210 via the OCS 126.

Processes of the ECS 124 control hardware resources including the white and black line printer (B&W LP) 101, the color line printer (Color LP) 102, the scanner 104, and the facsimile 104. The process of the MCS 125 obtains and releases an area of the image memory, uses the hard disk apparatus (HDD), and compresses and expands image data.

The processes of the FCS 127 provide APIs for sending and receiving of a facsimile from each application layer of the system controller by using a PSTN/ISDN network, for registering/referring of various kinds of facsimile data managed by BKM (backup SRAM), for facsimile reading, for facsimile receiving and printing, and for mixed sending and receiving.

The NCS 128 is a process for providing services commonly used for applications that need the network I/O. The NCS 128 distributes data received from the network by each protocol to a corresponding application, and acts as mediation between the application and the network when sending data to the network.

The OCS 126 controls an operation panel 210 that is a means for transferring information between the operator (user) and control parts of the machine. In the compound machine 100 of the first embodiment, the OCS 126 includes an OCS process part and an OCS function library part. The OCS process part obtains a key event, which indicates that the key is pushed, from the operation panel 21, and sends a key event function corresponding to the key event to the SCS 122. The OCS function library registers drawing functions and other functions for controlling the operation panel, in which the drawing functions are used for outputting various images on the operation panel on the basis of a request from an application 130 that has control right or from the control service. The OCS function library corresponds to the service function library of the present invention. When the application 130 is developed, functions in the OCS function library are linked to an object program that is generated by compiling a source code file of the application 130, so that an executable file of the application 130 is generated.

Although the OCS 126 is formed by the part executed by a process and the OCS function library in the compound machine 100 of the first embodiment, the OCS 126 can be configured such that the whole of the OCS 126 operates as a process, or such that the whole of the OCS 126 is formed by the OCS function library.

The application 130 includes a printer application 111 that is an application for a printer having page description language (PDL) and PCL and post script (PS), a copy application 112, a fax application 113 that is an application for facsimile, a scanner application 114 that is an application for a scanner, a network file application 115 and a process check application 116, and a secure application 117 for performing a process of restricting use of the compound machine 100 by a user and a process of restricting use of some functions.

The secure application 117 performs a user restriction process, in which the secure application 117 checks a user of the compound machine 100 by using a user code, and restricts use of the compound machine 100 such that only a user having the user code registered in an after-mentioned user database 320 can use the compound machine. In addition, on the basis of rights of use registered in the user database 320, the secure application 117 can provide only functions for which the user has the right of use among user services such as copy, printer, scanner and facsimile. In addition, the secure application 117 requests the operation panel 210 to display various screens at the time of the user restriction process. The detailed operations of the secure application 117 will be described later.

FIG. 2 shows a hardware configuration of the compound machine 100 according to the first embodiment. As shown in FIG. 2, the compound machine 100 includes a controller board 200, an operation panel 210, a fax control unit (FCU) 220, a USB 230, an IEEE1394 240, and a printer 250. The controller board 200 includes a CPU 202, a SDRAM 203, a SRAM 208, a flash memory (flash ROM) 204, a flash card interface part 206 and a HD 205 that are connected to the ASIC 201. The operation panel 210 is directly connected to the ASIC 201. The FCU 220, the USB 230, the IEEE1394 240 and the printer 250 are connected to the ASIC 201 via the PCI bus.

The SRAM 208 is a nonvolatile RAM including a priority application area in which applications having control right are registered. The SDRAM 203 keeps the priority application area copied from the SDRAM 208 by the SCS 122, an application registration area for registering applications that operate on the compound machine 100, and a shared memory area. The shared memory area is used for interprocess communication between a process of the application 130 and a process of the SCS 122. The SDRAM 203 forms a memory part of the present invention.

A flashcard 207 is inserted into a flash card interface part 206, so that data is sent/received between the compound machine 100 and the flashcard 207 via the flash card interface part 206. The flashcard 207 stores billing information of the user and the like.

The operation panel 210 includes an operation part used for key operation such as key input and button pushing and the like by the user, and a display part for displaying drawing data such as various screens.

Next, the user restriction process will be described according to the compound machine 100 of the first embodiment. FIG. 3 is a figure for explaining the whole user restriction process according to the compound machine 100 of the first embodiment. As shown in FIG. 3, the SRAM 208 keeps the priority application area 321, and the SDRAM 203 keeps an application registration area 322, a priority application area 323 and a shared memory area 324.

The hard disk (HD) 205 stores a user database 320. The user database 320 is a file for managing users who can use the compound machine 100. FIG. 4 shows a data structure of a record registered in the user database 320. As shown in FIG. 4, the user database 320 registers data including “user code”, “user name”, “section”, and “right of use” as one record.

The “user code” is an identification code uniquely determined for each user, and corresponds to user identification information of the present invention. “user name” is the name of the user, and “section” is a section to which the user belongs. “right of use” indicates a user service that the user can use. The “right of use” corresponds to use right information of the present invention. In the “right of use”, a user service that the user can use is set among user services such as “copy”, “printer”, “scanner”, “facsimile”, “copy server” and the like. When the user can use a plurality of services, a plurality of service names are set in the “right of use”, for example, “copy: facsimile”.

FIG. 5 is a flowchart showing a process procedure at the time when the compound machine 100 is launched by the SCS 122 in the compound machine of the first embodiment. In the following, the process of the SCS 122 when launching the compound machine 100 will be described.

When the power is turned on, hardware is initialized and diagnosed by a compound machine initialization part, which is not shown in the figure. Then, the general OS 121 is launched. Then, the control service is launched on the general OS 121 by the compound machine initialization part. After that, each application 130 is launched.

Every application 130 launched on the compound machine 100 sends an application registration request message to the SCS 122 in steps S301 and S302. The SCS 122 receives the application registration request message from each application 130, and registers the applications by storing identification IDs in the application registration area of the SDRAM 203 for each application in steps S303, S501. Therefore, the applications 130 operating on the compound machine 100 can be grasped by referring to the application registration area 322 of the SDRAM 203.

Next, the SCS 122 checks whether the secure application 117 is registered in the application registration area 322 in the SDRAM 203 in order to check whether the secure application 117 exists in the compound machine 100 in steps S502 and S303.

When the secure application 117 is registered, content in the priority application area 321 of the SRAM 208 is copied as it is in the priority application area 320 of the SDRAM 203 in steps S503 and S304. Then, “secure application” is set for the priority application area 323 in steps S504 and S305. This setting means that control right is provided to the secure application 117, that is, right for accessing the operation panel 210 is provided. The SCS 122 sends a notification message, to the secure application 117, indicating that the control right is provided in steps S505 and S306.

In step S502, if “secure application” is not registered in the application registration area 322 in the SDRAM 203, it is determined that the secure application 117 does not exist, the SCS 122 sends a notification message, to the application 130, indicating control right is provided in step S506, so as to perform normal processes of the compound machine without any user restriction.

Next, the user restriction process by the secure application 117 with the control right will be described. FIG. 6 is a flowchart showing the process procedure of the user restriction of the secure application 117. FIGS. 9A-9C show examples of screens displayed on the display part of the operation panel 210 in the user restriction process.

When the secure application 117 receives the notification message indicating that the control right is provided from the SCS 122 in step S601, the secure application 117 displays an initial screen (not shown) on the operation panel 210, after that, displays a user selection screen shown in FIG. 9A in step S602. On the user selection screen, the registered user names are displayed for each tab corresponding to a section (planning, technology, sales, purchase, quality management) by referring to the user database 320 of the HD 205.

Displaying the screen on the operation panel 210 is performed by the OCS 126 according to a display request of the secure application 117. That is, the secure application 117 specifies drawing information (identification information such as a window ID and a button ID) to be displayed so as to call drawing functions to the OCS 126 in step S307. Then, the OCS 126 displays specified drawing information in step S308.

When the user name button is selected on the user selection screen, the key event is sent to the secure application 117. These operations such as key input and button pushing from the operation panel 210 are notified to the secure application 117 via the OCS 126 and the SCS 122 as shown in FIG. 3 in steps S309, S310 and S311. More concretely, the following processes are performed in the OCS 126 and the SCS 122.

FIG. 7 is a flowchart showing a procedure for obtaining key operations from the operation panel 210 in the OCS 126 and the SCS 122 according to the compound machine of the first embodiment. As shown in FIG. 7, when key operation is performed on the operation panel 210, the OCS 126 issues a key event function corresponding to a pushed key or button so as to send a key event to the SCS 122 in step S701.

The key event function is called in the SCS 122 so that the SCS 122 receives the key event in step S702. Then, the SCS 122 sends the received key event to the application set in the priority application area 323 in the SDRAM 203 in step S703. Since the application 130 having control right on the operation panel 210 is currently set in the priority application area 323 in the SDRAM 203, the key operation is normally processed.

When the selection button of the user name is pushed on the user selection screen of step S602, the key event is sent to the secure application 117 via the OCS 126 and the SCS 122 since the secure application 117 having control right is set in the priority application area of the SDRAM 203.

When the user name is selected, the secure application 117 displays a user code input screen shown in FIG. 9B in step S603, and enters a waiting state of user code in step S604. When the user code is input, the secure application 117 determines whether a user code of the selected user name and a user code input from the operation panel are the same in steps S605 and S312.

When they are not the same, a user code error is displayed on the operation panel 210 in step S609, and the user input screen is displayed again in step S603. When they are the same, it is determined that the input user code is correct, the secure application obtains information on right of use from a record corresponding to the user code in step S606. The information includes a list of names of user services that can be used by the user, and as shown in FIG. 9C, the secure application 117 displays a function selection screen showing buttons of the listed user services in selectable manner in step S607. The example shown in FIG. 9C shows a case in which “copy: facsimile” is set as the right of use in the record of the user database 320. That is, the function selection screen of FIG. 9C shows buttons such that the “copy” button and the “facsimile” button which are diagonally shaded are selectable, other buttons are not selectable.

When the user pushes a button on the function selection screen, the secure application 117 obtains the selected service name via the OCS 126 and the SCS 122 in steps S309, S310 and S311, and notifies the SCS 122 of the selected service name in steps S608 and S313. Accordingly, the user restriction process by the secure application 117 ends.

Next, a process for changing control right will be described. This process is performed by the SCS 122 that received the selected service name. FIG. 8 is a flowchart showing a procedure of the process for changing control right by the SCS 122 according to the compound machine 100 of the first embodiment.

As shown in FIG. 8, when the SCS 122 receives the service name selected by the user from the secure application 117 in step S801, the SCS sets an application name corresponding to the received service name in the priority application area 323 of the SDRAM 203 in steps S802 and S314. For example, when the SCS 122 receives “copy” or “copy server” as the service name, “copy application” is set in the priority application area 323. When “scanner” is received, “scanner application” is set in the priority application area 323. Then, the SCS 122 sends a notification message, to the application set in the priority application area 323, indicating that control right is provided in steps S803 and S315. Accordingly, control is changed from the secure application 117 to the application that the user selected. FIG. 3 shows an example that the control is changed to the copy application 112 as a priority application. In the first embodiment, an application name corresponding to the service name received in step S801 is once set in the priority application area 323, and then, the control right is provided to the application set in the priority application area 323. However, after receiving the service name, notification message of providing the control right may be directly sent to the application without setting application name in the priority application area 323.

When the process in the application 130 after change of control ends, the application notifies the SCS 122 that the process ends in order to change control right to other application and the like in step S316.

As mentioned above, according to the compound machine of the first embodiment, the secure application 117 restricts use of the compound machine 100 on the basis of the user code registered in the user database 320, and restricts usable functions on the basis of right of use registered in the user database 320. Thus, security of the compound machine improves.
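The first embodiment's launch, key-event routing and control-right handoff (steps S501-S506, S601-S609, S701-S703 and S801-S803), modelled as an added Python example that is not code from the patent. The class and method names, the sample records, the facsimile and printer rows of the service table, and the use of `hmac.compare_digest` for the user code comparison are assumptions.

```python
import hmac

# Constructed sample records using the FIG. 4 field names (values are made up).
USER_DB = [
    {"user code": "4821", "user name": "Sato", "section": "planning",
     "right of use": "copy: facsimile"},
    {"user code": "7750", "user name": "Ito", "section": "sales",
     "right of use": "scanner"},
]

# Service name -> application name set in the priority application area.
# The page gives the copy/copy server and scanner rows; the rest are assumed.
SERVICE_TO_APP = {
    "copy": "copy application",
    "copy server": "copy application",
    "scanner": "scanner application",
    "facsimile": "fax application",      # assumption
    "printer": "printer application",    # assumption
}


def parse_right_of_use(field):
    """Split a 'right of use' value such as 'copy: facsimile' into names."""
    return [name.strip() for name in field.split(":") if name.strip()]


class Application:
    """Stand-in for an ordinary application that holds control right."""
    def __init__(self, name):
        self.name = name

    def on_key(self, event):
        return f"{self.name} handled {event[0]}"


class SCS:
    def __init__(self, sram_priority):
        self.sram_priority = sram_priority  # priority application area 321
        self.registered = {}                # application registration area 322
        self.priority = None                # priority application area 323

    def register(self, name, app):          # S303/S501
        self.registered[name] = app

    def launch(self):
        self.priority = self.sram_priority              # S503: copy 321 -> 323
        if "secure application" in self.registered:     # S502
            self.priority = "secure application"        # S504
        return self.priority                            # S505 / S506

    def key_event(self, event):                         # S702-S703
        return self.registered[self.priority].on_key(event)

    def service_selected(self, service):                # S801-S803
        app = SERVICE_TO_APP[service]
        if app not in self.registered:
            raise LookupError(f"{app} is not registered")
        self.priority = app
        return app


class SecureApplication:
    def __init__(self, scs, user_db):
        self.scs, self.user_db = scs, user_db
        self.record = None   # record of the selected user name
        self.rights = None   # set only after the user code matched

    def on_key(self, event):
        kind, value = event
        if kind == "user name":                          # S602 -> S603
            self.record = next((r for r in self.user_db
                                if r["user name"] == value), None)
            self.rights = None
            return ("user code input screen" if self.record
                    else "user selection screen")
        if kind == "user code" and self.record:          # S605
            # Constant-time comparison is an added choice, not from the page.
            if not hmac.compare_digest(value.encode(),
                                       self.record["user code"].encode()):
                return "user code error"                 # S609, back to S603
            self.rights = parse_right_of_use(self.record["right of use"])
            return self.rights                           # S606-S607
        if kind == "function" and self.rights is not None:
            if value not in self.rights:
                return "not selectable"                  # greyed-out button
            self.record = self.rights = None
            return self.scs.service_selected(value)      # S608 / S313
        return "ignored"


def build_machine(with_secure_app=True):
    scs = SCS(sram_priority="copy application")
    for name in ("copy application", "scanner application", "fax application"):
        scs.register(name, Application(name))
    if with_secure_app:
        scs.register("secure application", SecureApplication(scs, USER_DB))
    scs.launch()
    return scs


if __name__ == "__main__":
    scs = build_machine()
    for ev in [("user name", "Sato"), ("user code", "0000"),
               ("user code", "4821"), ("function", "copy"), ("start", None)]:
        print(ev, "->", scs.key_event(ev), "| priority:", scs.priority)
```

The run without the secure application registered shows the S506 branch: control right goes straight to the stored priority application and no user check takes place.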

Although restriction of use is described taking copy processing as an example, the restriction of use can be applied to other applications.

In addition, although the priority application area 321 of the SRAM 208 is copied to the SDRAM 203 so that information of the priority application area 323 in the SDRAM 203 is changed to “secure application” according to the first embodiment, the change of setting can be performed by referring to the priority application area 321 in the SRAM 208 without performing copy to SDRAM 203.

In the above-mentioned embodiment, the secure application 117 is set as a priority application, so that the user selection screen and the like is displayed next to the initial screen. However, even though the secure application 117 is not set as the priority application, the user restriction (user authentication) process can be performed. FIG. 10 shows a process flow in such a case.

After the power of the compound machine 100 is turned on, a screen for a default application (for example, copy application) is displayed on the operation panel in step S651. Or, a screen used for selecting an application is displayed on the operation panel. Next, a screen is displayed by the secure application 117 when a predetermined operation is performed for the default application, or when an application is selected on the operation panel in step S652. Then, the before-mentioned authentication of the user is performed on the basis of input by the user in step S653. If the user is authenticated, the user can use an application in step S654. If the user is not authenticated, the process goes back to step S651. In order to launch the default application or the application selection screen, for example, the control right may be given to the default application or to a program for displaying the application selection screen. Other than this process flow, for example, the authentication can be performed by executing the secure application when an application is changed to another application.

This configuration in which the secure application 117 is not set as a priority application can be applied to other embodiments.

Second Embodiment

The user restriction process is performed by inputting the user codefrom the operation panel 210 according to the compound machine 100 ofthe first embodiment. On the other hand, according to the secondembodiment, the user restriction process is performed by using aflashcard.

The functional configuration, hardware configuration and process flow ofuser restriction and data structure of the user database 320 are thesame as those shown in FIGS. 1-4 described in the first embodiment. Inthe compound machine 100 of the second embodiment, the user code foridentifying the user is recorded in the flashcard 207. The flashcard 207is inserted into the flashcard interface part 206, so that the user codeis read from the flashcard 207. The flashcard corresponds to therecording medium of the present invention.

FIG. 11 is a flowchart showing a process procedure of user restriction by the secure application 117 in the compound machine 100 according to the second embodiment. As shown in FIG. 11, when the secure application 117 receives the message notifying that control right is provided from the SCS 122 in step S1001, the secure application 117 displays a card insert screen (not shown in the figure) on the operation panel 210 in step S1002. After that, the secure application enters an insert waiting state of the flashcard 2007 in step S1003.

When the flashcard 207 is inserted in the flashcard interface part 206, the secure application 117 reads and obtains the user code from the flashcard 207 in step S1004. Then, the secure application 117 searches the user database 320 in step S1005, and checks whether the obtained user code exists in a record in the user database 320 in step S1006.

If the user code obtained from the flashcard 207 is registered in the user database 320, it is determined that the user is a valid user. Processes hereinafter (steps S1007-S1009) are the same as processes (steps S606-S608) shown in FIG. 6 described in the first embodiment.

If the user code obtained from the flashcard 207 is not registered in the user database 320, it is determined that the user is not a valid user, so that a user code error is displayed on the operation panel 210 in step S1010, and the card inserting screen is displayed again in step S1002.

As mentioned above, according to the compound machine 100 of the second embodiment, the user code is recorded in the flashcard 207 beforehand, and the user code is input from the flashcard 207. Therefore, restriction of use can be realized without key operation by the user for inputting the user identification information. In addition, since the user can store the user code by using the flashcard 207, management of the user code becomes easy.

Third Embodiment

According to the compound machine 100 in the first and second embodiments, restriction of use is performed by the secure application 117. In addition to that, according to the third embodiment, the compound machine 100 obtains user history. The functional configuration, hardware configuration and the data structure of the user database 1120 are the same as those shown in FIGS. 1, 2 and 4 described in the first embodiment.

The secure application 117 performs the user restriction process. In the user restriction process, the secure application 117 checks the user of the compound machine 100 by using the user code, and restricts use of the compound machine 100 such that only a user having a user code registered in the user database 1120 can use the compound machine 100. In addition, the secure application 117 performs a user restriction process in which the secure application 117 provides only functions of which a user has right of use among user services such as copy, printer, scanner and facsimile on the basis of right of use registered in the user database 1120. In addition, the secure application 117 generates a use history file 1125 from a purpose of use, a document name and the like input by the user, and stores the use history in the hard disk 205, and sends the use history to the PC 1507 and the remote centralized management apparatus via the network.

FIG. 12 is a figure for explaining flow of the user restriction process and user history generation process by the compound machine 100 according to the third embodiment. FIG. 13 is a flowchart showing a procedure of the user restriction process and the use history generation process performed by the secure application 117. FIGS. 14A-14C are examples of the screen displayed on the display part of the operation panel 210 in the use history generation process.

Processes after the compound machine 100 is launched until user restriction, including providing control right to the secure application 117 (steps S1101-S1112, and steps S1201-1205) are the same as those explained in the first embodiment with FIGS. 3, 5 and 6 (steps S301-S312, steps S501-S505, and steps S601-S605). In addition, the user selection screen and the user code input screen displayed on the operation panel 210 in the user restriction process are the same as those shown in FIGS. 9A and 9B described in the first embodiment.

When it is judged that the user code is registered in the user database 1120, the secure application 117 displays a purpose selection screen for selecting use purpose of the compound machine 100 on the operation panel 210 as shown in FIG. 14A in step S1206. When the user pushes a button having a purpose, the secure application 117 obtains the key event of the button via the OCS 126 and the SCS 122 in the same way as the first embodiment, so as to display a document name selection screen shown in FIG. 14B in step S1207. When the user pushes a button of a document name, the secure application 117 obtains the key event of the button, and obtains information of right of use from a record of the user code by referring to the user database 1120 in steps S1208 and S112. The purpose of use corresponds to the use information of the present invention, and the document name corresponds to the use information and the document information.

Then, in the same way as the case of the compound machine of the first embodiment, the function selection screen shown in FIG. 14C is displayed on the operation panel 210 such that the user selects a service name in step S1209, in which only service names for which the right of use is set can be selected. Then, the selected service name is notified to the SCS 122 in steps S1210 and S1113. Accordingly, in the same way as the case of the first embodiment, the SCS 122 changes the control right from the secure application 117 to the selected application (which is a copy application 112 in the example of FIG. 12) in steps S1111 and S1115. In the selected application, a process specific for the application is performed in step S1211.

When the process specific for the application ends, a paper size, the number of sheets processed and the like are sent to the secure application 117 as the result of the process specific to the application in step S1116, and the secure application 117 receives the information in step S1212. Then, the secure application 117 generates use history shown in FIG. 15 from current day and time, the user code, purpose that the user selected, document name, and the received paper size and number of sheets in step S1213. The secure application 117 generates the use history as a file of the XML format. Accordingly, even when the use history 1125 is sent via the network, the use history can be easily displayed and managed on a PC (personal computer) on the network.

The generated use history file 1125 is stored in the hard disk 205 in steps S1214 and S1117, and is sent to a terminal such as a PC 1507 connected to a network or a remote centralized management apparatus 1500 in step S1215. These sending processes are performed from the secure application 117 via the NCS 128. The secure application 117 and the NCS 128 correspond to the terminal sending means and the remote sending means.
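The restriction and history steps described above (user code lookup, right-of-use check, and generation of the XML use history from the job result) can be sketched as follows. This is an added example, not code from the patent: the XML element names, the `USER_DB` contents and all function names are assumptions, since FIG. 4 and FIG. 15 are not reproduced in the text.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# User services named in the text.
SERVICES = ("copy", "printer", "scanner", "facsimile")

# Constructed stand-in for the user database:
# user code -> set of services for which the right of use is registered.
USER_DB = {
    "1001": {"copy", "printer"},
    "1002": {"copy", "printer", "scanner", "facsimile"},
}


def selectable_services(rights):
    """Services the function selection screen may offer (step S1209)."""
    return [s for s in SERVICES if s in rights]


def build_use_history(when, user_code, purpose, document_name, paper_size, sheets):
    """Build the use history record as XML (step S1213).

    Element names are assumed. Values are set as element text, so the
    serializer escapes markup characters and a document name cannot
    alter the structure of the record.
    """
    root = ET.Element("useHistory")
    fields = (
        ("dateTime", when.isoformat()),
        ("userCode", user_code),
        ("purpose", purpose),
        ("documentName", document_name),
        ("paperSize", paper_size),
        ("sheets", sheets),
    )
    for tag, value in fields:
        ET.SubElement(root, tag).text = str(value)
    return ET.tostring(root, encoding="unicode")


def run_job(user_db, user_code, purpose, document_name, service, job_result, when):
    """User restriction followed by history generation for one job."""
    rights = user_db.get(user_code)
    if rights is None:
        # User code is not registered: not a valid user.
        raise PermissionError("user code error")
    if service not in selectable_services(rights):
        # Service exists but this user has no right of use for it.
        raise PermissionError("no right of use for " + service)
    # job_result stands for the values the application reports back
    # after its own processing (steps S1116 and S1212).
    paper_size, sheets = job_result
    return build_use_history(when, user_code, purpose, document_name,
                             paper_size, sheets)


if __name__ == "__main__":
    print(run_job(USER_DB, "1001", "meeting", "Q3 <draft> & notes",
                  "copy", ("A4", 12), datetime(2002, 10, 17, 9, 30)))
```
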

The process for sending the use history file 1125 to the PC and the remote centralized management apparatus will be described. FIG. 16 is a block diagram of a remote centralized management system including the compound machine according to the third embodiment. This remote centralized management system includes the remote centralized management apparatus 1500 and a plurality of compound machines 100 which are connected by public circuits.

The remote centralized management apparatus 1500 includes a computer 1501 for controlling the whole system, an external memory apparatus 1502, and multi-channel communication control apparatus (CCU) 1503, in which the external memory apparatus 1502 is an optical magnetic disk, a magnetic tape, a flexible disk (FD), IC card or the like. A public circuit network 1504 is connected to the multi-channel communication control apparatus 1503. In addition, a plurality of pairs of a key card apparatus 1506 and the compound machine 100 are connected to the multi-channel communication apparatus via each communication adapter 1505. In addition, PCs 1507 are connected to the compound machine 100 as printer clients by a network such as LAN.

The key card apparatus 1506 is connected to each compound machine 100 that is located in a customer's site, and is configured such that use information and failure information of the compound machine are output to the communication adapter 1505. The communication adapter 1505 is provided near the key card apparatus 1506 and the compound machine 100. In addition, the communication adapter 1505 is connected to a facsimile apparatus or a telephone in the customer's site. The communication adapter 1505 is configured such that data communication (off-talk communication method) is available between the multi-channel communication control apparatus 1503 and the communication adapter 1505 via the public circuit network 1504.

The secure application 117 sends the generated use history file 1125 to the remote centralized management apparatus 1500 via the key card apparatus 1506 and the communication adapter 1505 by using the public circuit network 1504. In addition, the secure application 117 sends the generated use history file 1125 to the PC 1507, which is a client terminal, via the LAN.

As mentioned above, according to the compound machine 100, the secure application 117 requests selection of use purpose or document name from the user, and generates use history file 1125 from the input use purpose and the document name. Thus, the use purpose and the document name can be stored as the use history file 1125, so that security can be improved by using the use history.

In addition, since the compound machine of the third embodiment sends the generated use history file 1125 to the remote centralized management apparatus 1500, the use history file 1125 can be referred to and calculated in the remote centralized management apparatus 1500. Thus, the image forming apparatus can be properly managed on the basis of the use history file 1125 by the remote centralized management apparatus.

Although history information includes use purpose and document name according to the third embodiment, the compound machine 100 may generate history information including other information on use. For example, in addition to the information items shown in FIG. 5, a link to OCR data of documents and a link to a thumbnail of documents can be recorded as the use history file, in which the OCR data and the thumbnail are automatically generated. By recording such information, the use history file can be used for preventing fraud, in addition to managing use status.

In addition, although generation of the use history file 1125 is described taking copy process as an example, the use history file 1125 can be generated for other applications in the same way.

Fourth Embodiment

According to the compound machine 100 of the first to third embodiments, the secure application 117 that is provided in the application layer performs user restriction and use history generation. According to this fourth embodiment, a secure control service provided in the control service layer performs the user restriction and use history generation process.

FIG. 17 is a block diagram showing a functional configuration of a compound machine 1600 according to the fourth embodiment. The hardware configuration of this compound machine is the same as that of the compound machine 100 of the first embodiment. The difference between the compound machine 1600 of the fourth embodiment and the compound machine 100 of the first embodiment is that the compound machine is provided with the secure control service 129 instead of the secure application 117 as shown in FIG. 17.

The secure control service 129 performs a user restriction process in which the secure control service 129 checks a user of the compound machine 1600 by using a user code such that only a user having a user code registered in the user database 1730 can use the compound machine 1600. In addition, the secure control service 129 checks right of use registered in the user database 1730 such that the compound machine 1600 provides only a function for which a user has right of use among functions such as copy, printer, scanner, facsimile and the like. Further, the secure control service 129 generates a use history file from a use purpose, document name and the like that the user inputs, and stores the use history file in the hard disk 205. In addition, in the same way as the compound machine of the third embodiment, the use history file is sent to the PC 1507 and to the remote centralized management apparatus 1500 via the network. Both the secure control service 129 and the NCS 128 form the terminal sending means and remote sending means of the present invention.

Next, the use restriction process and the use history generation process by the secure control service 129 according to the fourth embodiment will be described. FIG. 18 is a figure for explaining flow of the use restriction process and the use history generation process.

SRAM 208 keeps a priority application area 1731 in which an application having control right is registered. SDRAM 203 includes an application registration area 1732 and a shared memory area 1734, in which a name of an application operating on the compound machine 1600 is registered in the application registration area 1732, and the shared memory area 1734 is shared by processes of applications and processes of control services such as the SCS 122 and the secure control service 129. According to the compound machine 1600 of the fourth embodiment, the secure control service 129 in the control service layer performs the user restriction process and the use history generation process, and the applications 130 for providing user services of copy, printer, scanner, facsimile and the like launch first. Thus, unlike the SDRAM 203 of the compound machine 100 of the first embodiment, the priority application area that is copied from the SRAM 208 is not kept.

In the compound machine 1600 of the fourth embodiment, a secure service area 1733 is provided in the shared memory area 1734 for indicating whether the user restriction and the use history process is currently performed by the secure control service 129. “ON” is set in the secure service area 1733 by the secure control service 129 when starting the user restriction and the use history process. When ending user restriction and use history process, “OFF” is set by the secure control service 129. When the SCS 122 determines a sending destination of the key event, the SCS 122 checks the secure service area 1733. When the compound machine 1600 is initialized (launched), “OFF” is set in the secure service area 1733.

The data structure of the user database 1730 stored in the hard disk 205 is the same as that of FIG. 4 described in the first embodiment.

Like the compound machine 100 of the first embodiment, when the compound machine 1600 is launched, hardware is initialized and diagnosed, and the general OS 121 is launched. After that, each control service and each application are launched. The launched application 130 sends an application registration request message to the SCS 122 in step S1701. The SCS 122 that receives the message registers each application name that sent the application registration request message in the application registration area 1732 in the SDRAM 203 in step S1702. FIG. 18 shows an example in which the application registration request message is received from the copy application 112. Thus, it is assumed that the copy application is operating in the following description.

Next, the SCS 122 reads the priority application area 1731 of the SRAM 208 in step S1703, and the SCS 122 sends a message to the copy application 112 that is set in the priority application area 1731 in step S1704, wherein the message indicates that the copy application 112 is provided with control right for displaying a screen on the operation panel 210 and obtaining a key operation.

The copy application 112 provided with the control right displays a user restriction/use history selection screen on the operation panel 210 via the OCS 126 as shown in FIG. 19, in which the screen is used for instructing use of the functions of the user restriction/use history in steps S1705 and S1706.

When the user pushes the “ON” button in the user restriction/use history selection screen, the user restriction and use history generation process starts as described in the following. On the other hand, when the “OFF” button is pushed, the user restriction and the use history generation process is not performed, so that normal process of the application 130 (copying in the case shown in FIG. 18) is performed. In the following, the first case in which the “ON” button is pushed is described.

FIG. 20 is a flowchart showing a procedure for obtaining a key operation from the operation panel 210 by the OCS 126 and the SCS 122. As shown in FIG. 20, when a key operation arises on the operation panel 210, the OCS 126 executes a key event function corresponding to a key or a button and sends a key event to the SCS 122 in step S1901.

When the SCS 122 receives the key event by receiving the key event function call in step S1902, the SCS 122 checks whether “ON” is set in the secure service area 1733 in the shared memory 1734 for determining a sending destination of the key event in step S1903. That is, according to the fourth embodiment, an application 130 is always set in the priority application area 1731, so that the application has the control right. Therefore, the SCS 122 determines whether the key event is sent to the secure control service 129.

When “ON” is set in the secure service area 1733, the SCS 122 determines that a key operation is requested by the secure control service 129 since the user restriction process and the use history generation process are being executed, and sends the key event to the secure control service 129 in step S1904.

On the other hand, when “OFF” is set in the secure service area 1733, the user restriction and the use history processes are not performed. Thus, the SCS 122 determines that there is no request for key operation from the secure control service 129, so that the SCS 122 sends the obtained key event to the application 130 (that has control right currently) that is set in the priority application area 1731 of the SRAM 208 in step S1905.

In FIG. 17, when the user pushes the “ON” button on the user restriction/use history selection screen, the key event corresponding to the “ON” button is sent to the SCS 122 via the OCS 126 in steps S1707 and S1708. The SCS 122 refers to the secure service area 1733 in step S1709. However, since “OFF” is set at this time, the SCS 122 sends the obtained key event to the copy application 112 in step S1710.

The copy application 112 that receives the key event of the “ON” button sends an execution request message for the user restriction and the use history generation process to the secure control service 129 in step S1711. The secure control service 129 that receives the execution request message sets “ON” in the secure service area 1733 of the shared memory 1734 in step S1712 first.

Next, the secure control service 129 sequentially displays a user selection screen, a user code input screen, a purpose selection screen, a document name selection screen and a function selection screen on the operation panel 210 via the OCS 126 in steps S1713 and S1714. In addition, the secure control service 129 obtains key operations from each screen via the OCS 126 and the SCS 122, and performs the user restriction process by referring to the user database 1730 in steps S1715-1719. Detailed processes for the user restriction are the same as those by the secure application 117 described in the third embodiment. In these processes, since “ON” is set in the secure service area 1733 in the shared memory 1734, the key event obtained by the SCS 122 is sent to the secure control service 129, not to the copy application 129 in step S1718.

When the secure control service 129 ends the user restriction process, the secure control service 129 sends a process result to the SCS 122 in step S1720. The SCS 122 sends a process end notification message to the copy application 112 (that is set in the priority application area 1731) in step S1721. Then, the copy application 112 performs a copy process. When the copy process ends, the copy application 112 sends the process end notification message to the secure control service 129 with the paper size and the number of processed papers in step S1722.

When the secure control service 129 receives the process end notification message, the paper size and the number of papers, the secure control service 129 generates the use history file 1735 shown in FIG. 15 by using XML format from current day and time, the user code, the purpose and document name that the user selected, the received paper size and the number of the papers. Then, the use history file 1735 is stored in the hard disk 205 in step 1723. In addition, the secure control service 129 sends the use history file 1735 to the PC 1507 and the remote centralized apparatus 1500 via the NCS 128 like the compound machine 100 of the third embodiment.

Finally, the secure control service 129 sets “OFF” in the secure service area 1733 of the shared memory 1734 in step S1724, so that the user restriction process and the use history generation process end.
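The key event routing of FIG. 20 and the ON/OFF life cycle of the secure service area 1733 can be modelled as below. This is an added example, not code from the patent: the class and function names are assumptions, the key values are constructed, and resetting the flag in a `finally` clause is a choice of this example so that key events cannot stay routed to the secure control service if the restriction process fails midway.

```python
from contextlib import contextmanager


class SharedMemory:
    """Shared memory area 1734 holding the secure service area 1733."""

    def __init__(self):
        # "OFF" is set when the machine is initialized.
        self.secure_service_area = "OFF"


class Receiver:
    """Anything the SCS can deliver key events to."""

    def __init__(self, name):
        self.name = name
        self.received = []

    def on_key_event(self, key):
        self.received.append(key)


class SecureControlService(Receiver):
    def __init__(self, shm):
        super().__init__("secure control service 129")
        self.shm = shm

    @contextmanager
    def restriction_session(self):
        """Mark the user restriction / use history process as running."""
        self.shm.secure_service_area = "ON"        # step S1712
        try:
            yield self
        finally:
            # Step S1724. Done in finally (this example's addition) so the
            # flag is cleared even when the process raises an error.
            self.shm.secure_service_area = "OFF"


class SystemControlService:
    """SCS 122: decides the sending destination of each key event."""

    def __init__(self, shm, priority_app, secure_service):
        self.shm = shm
        self.priority_app = priority_app      # priority application area 1731
        self.secure_service = secure_service

    def dispatch(self, key):
        if self.shm.secure_service_area == "ON":   # step S1903
            target = self.secure_service           # step S1904
        else:
            target = self.priority_app             # step S1905
        target.on_key_event(key)
        return target.name


def run_flow():
    """Replay the sequence of FIG. 18 with constructed key presses."""
    shm = SharedMemory()
    copy_app = Receiver("copy application 112")
    secure = SecureControlService(shm)
    scs = SystemControlService(shm, copy_app, secure)
    trace = []
    # Steps S1707-S1710: the flag is still "OFF", so the "ON" button
    # press reaches the copy application.
    trace.append(("ON button", scs.dispatch("ON button")))
    # Steps S1711-S1719: the copy application requests execution and the
    # secure control service receives the keys typed on its screens.
    with secure.restriction_session():
        for key in ("1", "0", "0", "1", "OK"):
            trace.append((key, scs.dispatch(key)))
    # After step S1724 key events go to the application again.
    trace.append(("Start", scs.dispatch("Start")))
    return trace, copy_app.received, secure.received


if __name__ == "__main__":
    for key, target in run_flow()[0]:
        print(key, "->", target)
```
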

As mentioned above, the compound machine is provided with the secure control service 129 in the control service layer, and the secure control service 129 performs the user restriction process and the use history generation process. Thus, the use history generation function can be commonly provided for the applications 130 that are operating on the control service layer, so that software development labor for security functions can be decreased.

Although user restriction and generation of the use history file 1735 are described taking copy process as an example according to the fourth example, user restriction and generation of the use history file 1735 can be performed for other applications in the same way.

Although, in the compound machine according to the first to fourth embodiments, the OCS 126 first receives the key event of the key operation from the operation panel 210 and the OCS 126 sends the key event to the SCS 122, the SCS 122 may directly obtain the key event from the operation panel 210. In this case, the OCS 126 has only functions for outputting drawing to the operation panel 210.

As mentioned above, the image forming apparatus includes: at least an application for providing a user service relating to an image forming process; an operation panel for receiving a key operation input; a user database in which user identification information for identifying a user of the image forming apparatus is included; a secure program (corresponding to the secure application) used for determining whether the user service can be provided on the basis of the user identification information in the user database and another user identification information input by the user.

In the image forming apparatus, the image forming apparatus may execute the secure program so as to authenticate the user when a key operation input for executing the application is received by the operation panel. In addition, the image forming apparatus may execute the secure program so as to authenticate the user when an application selection operation is performed on an application selection screen displayed on the operation panel.

The image forming apparatus further includes hardware resources used for image forming processes, and at least a control service between the application and the hardware resources, wherein the secure program is a secure application included in the image forming apparatus as one of the applications.

According to the image forming apparatus, users of the image forming apparatus can be restricted to ones that are registered beforehand, so that security of the image forming apparatus can be improved. In addition, since the image forming apparatus has the configuration having the control service for requesting, managing and performing execution control of hardware resources, the security function can be realized only by providing the user database and the secure application. Thus, compared with the conventional image forming apparatus, security can be easily improved. In addition, since the application is operated on the application layer in the image forming apparatus, data can be sent/received between the secure application and the control service by using application program interfaces. Thus, work load for developing the secure application and the control service can be decreased.

A “user service” in this specification is a service related to image forming process performed by a copier, a printer, a scanner, a facsimile or the like. For example, if a new service becomes providable by adding a new application, a user service of the new application is included in “user service”.

In addition, “user identification information input by user” includes user identification information input by key operation from the operation panel, and user identification information input by inserting a recording medium such as a flashcard into a recording medium interface part.

In the image forming apparatus, the user database registers use right information indicating usable one or more user services for each piece of user identification information, and the secure application restricts use of one or more applications on the basis of the user right information.

According to the image forming apparatus, a user service to be provided to a user can be changed according to the user, so that security can be augmented in consideration of section or position of the user.

In the image forming apparatus, control right for the operation panel is provided to the secure application, and the image forming apparatus further includes: a system control service for sending a key event caused by a key operation from the operation panel to the secure application.

According to the image forming apparatus, since control priority for the operation panel is provided to the secure application, it can be avoided that another application outputs drawing on the operation panel, and it can be avoided that a key operation from the operation panel is obtained by another application while the user restriction process is being executed by the secure application. Thus, the security can be enhanced while the user restriction process is being executed.

In the image forming apparatus, the image forming apparatus further includes: a memory part for keeping a priority application area in which at least an application to which the control right is given is registered; wherein the system control service registers the secure application in the priority application area when the image forming apparatus is launched.

According to the image forming apparatus, the secure application can be automatically executed first among applications. The security can be enhanced when the image forming apparatus is launched.

In the image forming apparatus, the system control service gives control right to an application other than the secure application after the secure application determines whether a user service can be provided to the user, and the system control service sends a key event to the application to which control right is given.

Accordingly, right after the user restriction process by the secure application ends, a normal user service can be provided by another application.

In the image forming apparatus, the secure application requests the user to select a user service after the secure application determines whether a user service can be provided to the user, and the system control service gives control right to an application corresponding to the user service that the user selected.

Accordingly, right after the user restriction process by the secure application ends, a user service that the user wants can be provided.

The image forming apparatus may further include an operation panel control service for outputting drawing information of a screen of user restriction on the operation panel, obtaining a key event from the screen of user restriction, and sending the key event that is obtained to the system control service. By the operation panel control service, output of screen on the user restriction and key operation on the screen can be performed smoothly.

In the image forming apparatus, the operation panel control service includes a service function library including drawing functions for outputting drawing information, wherein the secure application requests output of drawing information by calling the drawing functions.

According to the image forming apparatus, the screen on the user restriction can be output on the operation panel by using a simple interprocess communication by a function call. Thus, work load for developing the secure application can be decreased.

In the image forming apparatus, the secure application receives the user identification information from a recording medium storing the user identification information beforehand. Accordingly, the user restriction can be realized without inputting the user identification information by performing key operation by the user, so that convenience for the user improves. In addition, since the user can keep the user identification information as the recording medium, management of the user identification information becomes easy.

According to the present invention, the image forming apparatus may include hardware resources used for image forming processes, and at least a control service between the application and the hardware resources, wherein the secure program is a secure control service included in the image forming apparatus as one of the control services. According to the image forming apparatus, since the secure control service operates on the control service layer, the user restriction function can be commonly provided to one or more applications operating above the control service layer. Thus, it becomes unnecessary to develop software of the security function for each user service individually, so that work load for developing software decreases.

In the image forming apparatus, the user database registers use right information indicating usable one or more user services for each piece of user identification information, and the secure control service restricts use of one or more applications on the basis of the user right information.

According to the image forming apparatus, a user service to be provided to a user can be changed according to the user, so that security can be augmented in consideration of section or position of the user.

In the image forming apparatus, whether the secure control service performs a user restriction process or not is determined according to selection by a user.

According to the image forming apparatus, the user can determine whether the security function is used while the security function is installed. Thus, usability of the image forming apparatus increases.

The image forming apparatus may further include: a memory part for keeping a secure service area in which execution state of the secure control service is set; and a system control service for sending a key event from the operation panel to the secure control service when the secure service area indicates that the secure control service is executed, and for sending the key event to the application when the secure service area indicates that the secure control service is not executed.

According to the image forming apparatus, the key event input from the operation panel can be switched according to whether the user restriction process is being executed, so that malfunction of the user service and the security function can be avoided.

The image forming apparatus may further include: an operation panel control service for outputting drawing information of a screen of user restriction on the operation panel, obtaining a key event from the screen of user restriction, and sending the key event that is obtained to the system control service.

In addition, the present invention is an image forming apparatus, including: at least an application for providing a user service relating to an image forming process; an operation panel for receiving a key operation input; a secure program for requesting a user to input use information on use status of the image forming apparatus, and generating use history information on the use information; and a control program for obtaining a key event on the use information input from the operation panel, and sending the key event to the secure program.

The image forming apparatus further includes hardware resources used for image forming processes, and at least a control service between the application and the hardware resources, wherein the secure program is a secure application included in the image forming apparatus as one of the applications, and the control program is a system control service included in the image forming apparatus as one of the control services.

According to the image forming apparatus, the security can be enhanced in consideration of history of use status. In addition, since the secure application is operated on the application layer in the image forming apparatus, data can be sent/received between the secure application and the control service or other control services by using application program interfaces. Thus, work load for developing the secure application and the system control service can be decreased.

In the image forming apparatus, the secure application requests input of document information indicating the kind of a document to be processed as the use information, and the secure application generates the use history information on the basis of the document information.

According to the image forming apparatus, the kinds of documents can be stored in addition to the use status of the image forming apparatus as the use history information. Thus, the security can be enhanced in consideration of history of documents processed in the past.

According to the present invention, the image forming apparatus may further include hardware resources used for image forming processes, and at least a control service between the application and the hardware resources, wherein the secure program is a secure control service included in the image forming apparatus as one of the control services, and the control program is a system control service included in the image forming apparatus as another one of the control services. Thus, the security can be enhanced in consideration of history of documents processed in the past. In addition, according to the image forming apparatus, since the secure control service operates on the control service layer, the use history generation function can be commonly provided to one or more applications operating above the control service layer. Thus, it becomes unnecessary to develop software of the security function for each user service individually, so that work load for developing software decreases.

The image forming apparatus further includes a terminal sending part for sending the use history information to a client terminal connected to a network. Accordingly, the use history information can be stored not only in the image forming apparatus but also in the client terminal. Thus, calculation and processing on the use history information become available as necessary, so that the use history information can be used effectively.

The image forming apparatus may further include a remote sending part for sending the use history information to a remote centralized management apparatus for collecting operation information from a plurality of image forming apparatuses connected to a network. By this configuration, the remote centralized management apparatus can refer to or perform processing on the use history information. Thus, the remote centralized management apparatus can perform proper management of the image forming apparatus on the basis of the use history information.

In addition, the present invention is a user restriction method for restricting use of an image forming apparatus by a user, the image forming apparatus comprising: at least an application for providing a user service relating to an image forming process; and an operation panel for receiving a key operation input, the user restriction method comprising the steps of: receiving user identification information for identifying a user of the image forming apparatus; and a secure program in the image forming apparatus determining whether the user service can be provided on the basis of another user identification information registered in a user database in the image forming apparatus and the user identification information that is received.

In addition, a use history generation method is provided, in which the use history generation method is used for generating use history of an image forming apparatus, the image forming apparatus comprising: at least an application for providing a user service relating to an image forming process; and an operation panel for receiving a key operation input, the use history generation method comprising the steps of: a secure program in the image forming apparatus requesting a user to input use information on use status of the image forming apparatus, and generating use history information on the use information; and a control program in the image forming apparatus obtaining a key event on the use information input from the operation panel, and sending the key event to the secure program.

In addition, a computer readable medium is provided, in which the computer readable medium stores program code for causing an image forming apparatus to perform a user restriction process, the image forming apparatus comprising: at least an application for providing a user service relating to an image forming process; an operation panel for receiving a key operation input; and a user database in which user identification information for identifying a user of the image forming apparatus is included, the computer readable medium comprising: secure program code means for determining whether the user service can be provided on the basis of the user identification information in the user database and another user identification information input by the user.

In addition, a computer readable medium is provided, in which the computer readable medium stores program code for causing an image forming apparatus to generate use history information, the image forming apparatus comprising: at least an application for providing a user service relating to an image forming process; and an operation panel for receiving a key operation input, the computer readable medium comprising: secure program code means for requesting a user to input use information on use status of the image forming apparatus, and generating use history information on the use information.

According to the computer readable medium such as a floppy disk, magnetic tape, CD-ROM and the like, by installing the program stored in the computer readable medium into an image forming apparatus, the image forming apparatus can perform the user restriction function or the use history generation function of the present invention.

The present invention is not limited to the specifically disclosed embodiments, and variations and modifications may be made without departing from the scope of the present invention.

1. An image forming apparatus comprising: a hardware controller configured to control hardware that includes at least a scanner or a printer; an operating system configured to operate the hardware controller; and an application configured to provide a user with an operation of the image forming apparatus using the hardware, wherein the image forming apparatus is configured such that secure software for performing user authentication can be installed separately from the application; when the secure software is not installed, the image forming apparatus is configured to allow the user to operate the image forming apparatus via the application; and when the secure software is installed, the image forming apparatus is configured to allow the user to operate the image forming apparatus, via the application, only when the user authentication using the secure software authenticates the user.